Educating the maritime industry on the cyber-‘icebergs’

Seafarers are generally trained to conduct one or two specific jobs whilst at sea, most of which generate electronic data that is captured, communicated and stored by means of some system; however, these seafarers are not usually fully educated or trained to do so in a cybersecure manner.

Opinion piece by Prof Rossouw von Solms from the South African International Maritime Institute (SAIMI)

Cyberthreats, or as I refer to them in the maritime context, cyber-‘icebergs’, are ever-present. Such threats encompass several malicious activities that can potentially affect all computer systems, networks and associated data. Such activities may be intentional or unintentional and may originate from seafarers on board or off-board attackers.

Unintentional malicious activities usually stem from negligence, ignorance or a lack of education on the part of a legitimate user, while intentionally malicious activities generally stem from some form of cyberattack by a malicious party. Cyberattacks may come in the form of malware, phishing emails, social engineering, honey traps and many more. In all cases, the aim of the cyberattack is to breach system security and achieve certain goals, such as ransomware, denial of service and jamming signals, among others. Successful cyberattacks can lead to financial losses, disruption of services, and loss of GPS signals, among other things.

The introduction of sound cybersecurity measures to protect on-board IT systems from being breached by malicious, intentional cyberattacks is one of management’s main responsibilities. However, many system security breaches are facilitated by the negligence or ignorance of legitimate seafarers, owing to a lack of proper education. Thus, seafarers may unintentionally weaken cybersecurity, eventually enabling a successful cyberattack that is obviously detrimental to the vessel, its owner, the freight and the people on board.

On the evening of 14 April 1912, the ‘unsinkable’ Titanic hit an iceberg and sank. Word has it that two other ships sent messages to the Titanic warning it about icebergs. Apparently, radio operators were so busy relaying passengers’ messages to shore that the one warning of a huge iceberg in the vicinity was never conveyed to the bridge. Another radio operator reprimanded another ship for disturbing him as he was busy handling passengers’ messages.

It is clear that human error, ignorance and incompetence can lead to breaches in system security that may eventually lead to disaster. The case of the Titanic highlights that a vessel’s communication channel(s) should ideally not be used for both operational functions and non-critical, social purposes.

Seafarers are generally trained to conduct one or two specific jobs whilst at sea, most of which generate electronic data that is captured, communicated and stored by means of some system; however, these seafarers are not usually fully educated or trained to do so in a cybersecure manner. Therefore, ignorance or incompetence in securely operating cyber-oriented systems is a huge vulnerability for cybersecurity and eventually for the vessel.

Further, when off duty, seafarers in many cases use the same communication link for social entertainment, recreation and communication as the vessel uses for critical operational tasks, like navigation, collecting weather information, etc. This shared use makes that communication channel prone to cyberattacks.

The bottom line is: ensure that all seafarers are properly cybersecurity-aware and competent. If not, seafarers can be seen as part of the cyber-iceberg.